US intelligence targets advanced security management of virtual systems

Looking to lock down government cloud-based resources in particular, researchers from the Intelligence Advanced Research Projects Activity this week announced a program that will develop better technology to manage and secure Virtual Desktop Infrastructure environments. The advanced research arm of the Office of the Director of National Intelligence rolled out the Virtuous User Environment (VirtUE) program which the agency says “is looking to use the federal government’s impending migration to commercial cloud-based IT infrastructures and the current explosion of new virtualization and operating system concepts to create and demonstrate a more secure interactive user computing environment than the government has had in the past or likely to have in the near future.”

Windows users face update bloat, and tough choices

Windows 10's cumulative updates have ballooned in size, and a similar bloat will also affect the Windows 7 updates that Microsoft revamped this month. According to data published last month by LANDesk and refreshed by Computerworld with October's numbers, Windows 10 cumulative updates for the three versions of the new OS have surged in size. Updates for Windows 10 version 1507 -- the debut that launched in July 2015 -- have grown 153% (for the 32-bit edition) and 181% (64-bit), from 184MB and 368MB to 466MB and 1,034MB (or over a gigabyte), respectively, in just over a year. Those for version 1511 -- Windows 10's first "feature update," issued in November 2015 -- exploded in comparison: The first 64-bit 1511 update was 49MB, but the cumulative update released earlier this month was a whopping 989MB, for a growth rate of 1,918% in under 12 months.

Stupid encryption mistakes criminals make

Writing secure code can be challenging, and implementing cryptography correctly in software is just plain hard. Even experienced developers can get tripped up. And if your goal is to swindle people quickly, not to wow them with the quality of your software, there are sure to be serious crypto mistakes in your code. Malware authors may provide significant lessons in how not to implement cryptography. Such was the upshot of research by Check Point’s Yaniv Balmas and Ben Herzog at the recent Virus Bulletin conference in Denver. Malware authors may be more likely to insert crypto doozies in their code than developers working on legitimate software because they may not care as much about code quality or design, said Balmas and Herzog. These criminals are focused on getting a product that does enough to satisfy their immediate requirements -- and no more.

Apple Pay at two years: Not much to celebrate (yet)

Apple Pay marks its two-year anniversary this week, and while it supposedly helped spark a revolution for in-store mobile payments, there's not much celebrating by Apple or its payments rivals. While Apple, Samsung Pay, Android Pay and many others keep adding users, the rate of adoption is far below what was expected when Apple Pay arrived on Oct. 20, 2014. More worrisome is the low repeat-user rate. Many consumers will sign up for a payment app and try it out with contactless technology like Near Field Communications (NFC) on a smartphone once to buy something in a store. After that, many don't bother to do it a second time, because it is just too easy to use a credit or debit card -- or even cash, according to a recent survey.

10 PC programs Windows 10 renders obsolete

Pedal to the metal (image by Thinkstock)

For as long as Windows has existed, third-party programs have sprouted up to fix its most glaring headaches and omissions—only to be eventually squashed when Microsoft corrected course. Several of those programs, from PDF readers to ISO mounting tools to file management boosters, became unnecessary when Windows 8 rolled out. But Microsoft’s relentless axe didn’t stop there.

In three debates, H-1B visa untouched by Clinton and Trump

In three presidential debates, including the final one Wednesday night, the two candidates did not talk about the H-1B visa program. This was the last opportunity for Donald Trump and Hillary Clinton to compare and contrast what may be tech's most controversial issue. The portion of the debate set aside Wednesday night for immigration quickly shifted to a discussion about hacked emails and Kremlin meddling. Fox News anchor Chris Wallace may be criticized for allowing this portion of the debate to run off the rails, but the person who deserves the most blame is Trump, the Republican nominee. Trump had everything to gain by raising the temporary visa issue and its use in offshore outsourcing. The tech industry has thrown its financial support behind Clinton, the Democratic nominee.

The first things to do with your new Pixel phone

Pixel Perfect (image by Derek Walter)

It’s finally here. The new Google Pixel is in your hands and ready to deliver on the promise of Google-designed smartphone bliss. There’s a lot to unpack, even if you’ve already been down the Nexus road before. Google has taken the integration of Android and hardware to a new level, and there are a lot of little features hiding just underneath the surface.

Intel’s $1.4B antitrust verdict should be reviewed, top EU judge says

Intel's hopes of recovering a record antitrust fine have improved with a recommendation from a top European Union judge on Thursday that the case be reviewed. The company paid the €1.06 billion (then US$1.4 billion) fine in 2009 after the European Commission found it guilty of abusing its dominant position in the market for x86 processors. Since then, it has been seeking to have the judgment overturned, first by the EU's General Court and then, since 2014, by the EU's highest legal authority, the Court of Justice. The CJEU heard that appeal in June, and now Advocate General Nils Wahl has issued his recommendation to the court. The opinions of the court's advocates general are not binding, but it often follows them.

Here’s how Google is overhauling its cloud storage offerings

There are big changes afoot for Google Cloud Platform's storage offerings. On Thursday, the company announced a complete overhaul of the storage options available to customers, complete with new storage tiers and reduced pricing. Customers that need incredibly high availability storage can use Google's new fully managed Multi-Regional Cloud Storage service, which will replicate data across multiple Google Cloud data centers in different areas for high-uptime access. On the opposite end of the spectrum, the company also launched a new Coldline storage service that's designed for data accessed less than once a year, like backups. The storage changes are part of Google’s overall pitch to capture businesses in a highly competitive cloud market. Managed, multi-region storage will be helpful for customers who don’t want to worry about reliability, and the new Coldline storage will help GCP compete with other cold storage offerings like Amazon Glacier.

Do You Use SSL between Load Balancers and Servers?

One of my readers sent me this question:

Using SSL over the Internet is a must when dealing with sensitive data. What about SSL between data center components (frontend load-balancers and backend web servers for example)? Does it make sense to you? Can the question be summarized as "do I trust my Datacenter network team"? Or is there more at stake?

In the ideal world in which you’d have a totally reliable transport infrastructure the answer would be “There’s no need for SSL across that infrastructure”.

Apple to unveil new Macs at special media event on Oct. 27

At long last, Apple has plans to refresh its beleaguered Mac lineup. Late yesterday afternoon, Apple sent invitations to select media outlets for a special Mac-oriented event that will take place next Thursday at 10 a.m. PT at 1 Infinite Loop. The upcoming event will focus largely on refreshed Macs and will likely be anchored by a completely revamped MacBook Pro. According to various rumblings from the rumor mill, Apple's upcoming MacBook Pro will not only have upgraded internals, but it will feature an OLED touch panel located at the top of the keyboard in place of where the function row resides. One of the more intriguing benefits of an OLED touch panel built directly into the keyboard is that the keys themselves would presumably be able to adjust in real time to correspond to the demands of the user or a specific application. For example, if you have Netflix running, the OLED touch panel would display Netflix-centric commands to provide a more efficient and intuitive user experience.

Gone Fishin’

Well, not exactly Fishin', but I'll be on a month long vacation starting today. I won't be posting (much) new content, so we'll all have a break. Disappointing, I know. Please use this time for quiet contemplation and other inappropriate activities. See you on down the road...

Vagrant-Photon OS Bug and Workaround

I recently came across a bug in using VMware Photon OS with Vagrant, and so in this post I’m going to point out this bug and provide a workaround. The bug is, fortunately, pretty innocuous, and only affects Vagrant environments that configure additional network interfaces to Photon OS VMs. The workaround is equally easy, thankfully.

First, I’ll point out that the fix for this bug has already been pushed to Vagrant, but it hasn’t yet (as of this writing) made it into a release. Vagrant 1.8.6 was the latest release as of this writing, and it still exhibits the bug.

There are a number of somewhat-interrelated issues:

  1. First, the “vagrant-guests-photon” Vagrant plugin (latest version is 1.0.4) is no longer needed. This code has been replaced by code that is distributed as part of Vagrant itself. This wouldn’t normally be an issue, except that…

  2. The plugin relies on awk, which is no longer included in recent releases of the Photon OS Vagrant box. I can’t tell you exactly when this started, but I can confirm the last couple of releases (1.2.0 and 1.2.1) are definitely affected.

  3. Finally, the code which replaces the …

Cliché: Security through obscurity (again)

This post keeps popping up in my timeline. It's wrong. The phrase "security through/by obscurity" has become such a cliché that it's lost all meaning. When somebody says it, they are almost certainly saying a dumb thing, regardless of whether they support it or are trying to debunk it.

Let's go back to first principles, namely Kerckhoffs's Principle from the 1800s, which states that cryptography should be secure even if everything is known about it except the key. In other words, there exists no double-secret military-grade encryption with secret algorithms. Today's military crypto is public crypto.

Let's apply this to port knocking. This is not a layer of obscurity, as proposed by the above post, but a layer of security. Applying Kerckhoffs's Principle, it should work even if everything is known about the port knocking algorithm except the sequence of ports being knocked.

Kerckhoffs's Principle is based on a few simple observations. Two relevant ones today are:
* things are not nearly as obscure as you think
* obscurity often impacts your friends more than your enemies

I (as an attacker) know that many sites use port knocking. Therefore, if I get no response from an IP address (which I have reason …
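To make the Kerckhoffs framing concrete, here is an added example (my own code, not from the post above or from any port-knocking tool) of the server-side logic of port knocking written so that everything about it is public: the state machine, the reset rule and the timeout window are all in the open, and the only secret is the value of `KNOCK_SEQUENCE`. The sequence, the 10-second window and the sample connection events are constructed for the demonstration. Run against a small constructed log of `(source, destination port, timestamp)` events, it shows which sources completed the sequence, which were reset by a wrong port, and which timed out mid-sequence.

```python
"""Port-knock tracker: public algorithm, secret sequence (added example)."""

# Constructed secret: the only value that must stay private (Kerckhoffs).
KNOCK_SEQUENCE = (7000, 8000, 9000)
# Assumed policy: successive knocks must arrive within this many seconds.
KNOCK_WINDOW = 10.0


class KnockTracker:
    """Tracks per-source progress through the knock sequence.

    Every rule here may be known to an observer; knowing them does not
    help without the sequence itself.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        # src_ip -> (index of next expected knock, time of last accepted knock)
        self.progress = {}
        self.authorized = set()

    def observe(self, src_ip, dst_port, ts):
        """Feed one connection attempt; return True when the sequence completes."""
        idx, last = self.progress.get(src_ip, (0, ts))
        if idx > 0 and ts - last > self.window:
            idx = 0  # stale partial sequence: start over
        if dst_port == self.sequence[idx]:
            idx += 1
        else:
            # Any wrong port resets progress; the wrong port may itself be
            # the first knock of a fresh attempt.
            idx = 1 if dst_port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.authorized.add(src_ip)
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, ts)
        return False


# Constructed sample events: (source IP, destination port, timestamp in seconds).
SAMPLE_EVENTS = [
    ("10.0.0.5", 7000, 1.0), ("10.0.0.5", 8000, 2.0), ("10.0.0.5", 9000, 3.0),   # correct
    ("10.0.0.6", 7000, 1.0), ("10.0.0.6", 9000, 2.0),                            # wrong 2nd knock
    ("10.0.0.6", 8000, 3.0), ("10.0.0.6", 9000, 4.0),                            # never restarted
    ("10.0.0.7", 7000, 1.0), ("10.0.0.7", 8000, 20.0), ("10.0.0.7", 9000, 21.0), # timed out
    ("10.0.0.8", 7000, 1.0), ("10.0.0.8", 7000, 2.0),                            # restart on 1st knock
    ("10.0.0.8", 8000, 3.0), ("10.0.0.8", 9000, 4.0),                            # then correct
]


def replay(events, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Replay events in time order; return the sorted list of authorized sources."""
    tracker = KnockTracker(sequence, window)
    for src_ip, dst_port, ts in sorted(events, key=lambda e: e[2]):
        tracker.observe(src_ip, dst_port, ts)
    return sorted(tracker.authorized)


if __name__ == "__main__":
    print("authorized:", replay(SAMPLE_EVENTS))
```

Publishing this code costs nothing as long as `KNOCK_SEQUENCE` stays private, which is exactly the property the post demands of a real security layer; the window and reset rules are there so that a partial sequence does not linger and become easier to complete by accident.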

LinkedIn blames Russian hacking suspect for 2012 breach

A suspected Russian hacker arrested recently in the Czech Republic was involved in a massive 2012 data breach at LinkedIn, the professional social networking company says. LinkedIn said Wednesday that it has been working with the FBI to track down the culprits behind the data breach, which exposed hashed passwords from 117 million accounts. "We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity," LinkedIn said in an email.